
Directors to be personally liable for marketing breaches

The government has recently announced that it intends to introduce personal liability and accountability for directors for breaches of data protection law committed by their companies.

The new provision

In an announcement on 23 October 2016, the Department for Culture, Media and Sport confirmed that it will amend the Privacy and Electronic Communications Regulations 2003 (PECR) to hold directors responsible if their companies make nuisance calls.

The upcoming amendment will allow the Information Commissioner's Office (ICO) to impose fines of up to £500,000 on each company director.  If a company has multiple directors, each could be liable for a fine.

The new provision will form part of the Digital Economy Bill, which is expected to receive Royal Assent in early 2017, and reflects the government's intention to strengthen the ICO's enforcement powers in order to protect individuals' rights.

It has been well publicised that the government intends to reinforce its on-going campaign against nuisance callers. It has already introduced measures forcing companies to display their caller ID and has been working with Trading Standards to provide call blocking devices to vulnerable individuals.  The Digital Economy Bill will go further by putting the ICO's Direct Marketing Code on a statutory footing, which will make it easier for the ICO to take action against spam email and nuisance calls.

ICO action

The government's decision to implement the new measure comes after the ICO's statement that it should be able to go further than just imposing fines on the companies responsible for nuisance calls in order to protect individuals.

At a recent parliamentary meeting to discuss the new bill, the Information Commissioner, Elizabeth Denham, stated that the ICO had issued fines totalling about £4 million in the last year, but had only been able to collect a small percentage of that figure. This is because many companies tried to avoid paying the fines imposed on them by declaring bankruptcy, only to re-emerge under a new name.

In a statement on 23 October 2016, Elizabeth Denham welcomed the government's new plans for nuisance call directors to face fines, stating: “Making directors responsible will stop them ducking away from fines by putting their company into liquidation. It will stop them leaving by the back door as the regulator comes through the front door”.

What can businesses do to prepare?

It is clear that breaches of PECR should now be a boardroom matter. Directors will be particularly interested to ensure that a thorough review is undertaken of their company's marketing policies and practices to minimise the risk of a personal fine.  

Collection procedures, in particular, should be reviewed to ensure that when personal data is collected, a clear notice is provided to individuals (whether in a privacy policy or elsewhere) describing how the data will be used and that consent is obtained from individuals to use their data for marketing purposes - in accordance with the provisions of the Data Protection Act 1998 and PECR.

If personal data is to be shared or traded with third parties, explicit opt-in consent to marketing must be obtained to share the personal data for marketing purposes. If an organisation buys marketing lists, it must undertake due diligence to satisfy itself that it has the right to use the personal data for the purposes for which it is provided to it by the third party.

Organisations should put in place a robust contract with any third parties who buy, sell, rent or share personal data to ensure that both parties understand how the personal data should be used, who the personal data can be shared with, who will be liable for compliance with data protection provisions and how complaints will be handled and resolved. Ongoing monitoring and testing arrangements must also be put in place to ensure that the parties are complying with the provisions of the contract.

Finally, if an individual asks not to be contacted at any time for marketing purposes, his/her details should be listed on an accurate, up-to-date internal suppression list, rather than simply deleted, to ensure that any future marketing campaigns do not include their details.

The ICO has released various guidance for organisations that are involved with electronic and telephone marketing which can act as a useful starting point in order to ensure compliance. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.
